CMMC Incident Response Plan: Requirements, Testing, and a Free Template

By The Defense Compliance Report Editorial Team

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency. This is educational research, not legal, contractual, or compliance advice.

Already dealing with a live incident?

If a cyber incident may affect a covered contractor information system, Covered Defense Information (CDI), or your ability to perform contract work designated as operationally critical support, the DFARS 252.204-7012 reporting clock may already be running — 72 hours from discovery. The legacy DIBNet portal was retired June 6, 2025; reports now go through DC3’s Incident Collection Format (ICF). Do not submit CUI, incident indicators, or contract details through this site. See our DFARS 7012 incident reporting guide for the current filing path.

A CMMC incident response plan is the written, tested capability a defense contractor uses to detect, analyze, contain, recover from, report, and test its response to cyber incidents that touch Controlled Unclassified Information (CUI). For CMMC Level 2, it has to satisfy three NIST SP 800-171 Revision 2 controls — 3.6.1, 3.6.2, and 3.6.3 — and, on any contract carrying DFARS 252.204-7012, it has to operationalize a hard 72-hour cyber-incident reporting deadline. The plan that passes an assessment is not the longest or the most polished — it’s the one whose process your people can demonstrate and whose evidence you can produce.

What changes the answer is your CMMC level and your contract clause. Level 1 (Federal Contract Information only) has no incident response control. Level 2 (you handle CUI) requires all three. Level 3 layers on enhanced requirements from NIST SP 800-172. The contract clause sets your level — not a checklist, and not us. Below, we map each control to the exact plan section that satisfies it, show what a C3PAO (CMMC Third-Party Assessment Organization) examines, and give you the complete plan structure for free.

Who needs a documented, tested IR plan — and who doesn’t:

  • You do if you’re pursuing CMMC Level 2 (you store, process, or transmit CUI), or your contract carries DFARS 252.204-7012 (the “safeguarding and cyber incident reporting” clause).
  • You may not need the full IR domain if you’re strictly Level 1 — Federal Contract Information only, no CUI, no 7012 clause. Basic reporting hygiene still matters, but the three IR controls below are a Level 2 obligation.

The 30-second version

If you need to prove… | Map it to… | Keep this evidence
An operational incident-handling capability | NIST 800-171 3.6.1 / IR.L2-3.6.1 | The plan, named roles, reporting intake, incident tickets, training records
That you track, document, and report incidents | NIST 800-171 3.6.2 / IR.L2-3.6.2 | Incident log, notification matrix, internal + external report records
That the capability was tested | NIST 800-171 3.6.3 / IR.L2-3.6.3 | Tabletop scenario, attendee list, notes, after-action report, corrective actions
DFARS reporting readiness | DFARS 252.204-7012 | 72-hour workflow, medium assurance certificate owner, evidence-preservation plan

One honest warning before you go further. You can download a hundred CMMC incident response plan templates today. The template is not your problem. The thing that fails assessments — every time — is a plan that describes a process nobody has actually run and can’t prove happened. Assessors don’t grade your prose. They grade evidence. The good news: once you know exactly which evidence maps to which control, this becomes a focused documentation project and one tabletop exercise away from a pass.

What does CMMC require for incident response?

Answer: CMMC Level 2 requires three incident response controls drawn from NIST SP 800-171 Revision 2: 3.6.1 (an operational incident-handling capability), 3.6.2 (tracking, documenting, and reporting incidents to internal officials and external authorities), and 3.6.3 (testing that capability). Together they require a written plan, defined roles, an incident log, a reporting path, and documented evidence that you actually tested the process.

Incident Response is one of the 14 control families in NIST SP 800-171 Rev. 2, which contains 110 security requirements in total. CMMC Level 2 maps to all 110 (NIST SP 800-171 Rev. 2). The IR family is the second-smallest — just three requirements — which is exactly why it gets underbuilt and why it generates findings out of proportion to its size.

The three controls, in NIST’s own words:

Source: NIST SP 800-171 Rev. 2, §3.6.1–3.6.3. CMMC Level 2 currently uses Rev. 2 because 32 CFR Part 170 (§170.14) sets Level 2 requirements to NIST SP 800-171 Rev. 2. NIST published Rev. 3 in May 2024, but do not build to Rev. 3 for CMMC purposes unless and until DoD amends the rule.

The evidence map (what a C3PAO examines, interviews, and tests)

A C3PAO evaluates every requirement using three assessment methods defined in NIST SP 800-171A: examine (review your plan, policies, logs, and records), interview (ask your people how it works), and test (watch the capability operate). The IR family breaks into 14 discrete assessment objectives across the three controls.

Control | Assessment objectives | How it’s checked | The plan section that satisfies it
IR.L2-3.6.1 (7 objectives) | Capability is established; includes preparation, detection, analysis, containment, recovery, and user-response activities. | Examine the plan/procedures; interview responders; review evidence the process ran. | Lifecycle sections + roles + severity scheme
IR.L2-3.6.2 (6 objectives) | Incidents are tracked; documented; external authorities identified; internal officials identified; authorities and officials are notified. | Examine the incident log and reporting matrix; interview on who gets called and when. | Incident tracking/log + internal & external reporting matrix (incl. DoD 72-hour report)
IR.L2-3.6.3 (1 objective) | The incident response capability is tested. | Examine test records — date, scenario, participants, findings, corrective actions. | Testing & exercise procedure + retained tabletop records

Sources: NIST SP 800-171A; CMMC Assessment Guide — Level 2.

Which incident response controls can you put on a POA&M?

Answer: Under the CMMC Final Rule, only 1-point requirements can sit on a Plan of Action and Milestones (POA&M). In the IR family, that means 3.6.1 and 3.6.2 (worth 5 points each) cannot be deferred: you must fully implement incident handling and incident reporting to earn even conditional Level 2. Only 3.6.3 (worth 1 point) is POA&M-eligible, and you’d still close it within 180 days.

This is the single most consequential fact about the IR domain, and almost no page states it. When you self-assess against NIST SP 800-171, you post a score to the Supplier Performance Risk System (SPRS). You start at 110 and subtract the weighted value of every requirement you haven’t fully implemented. Two of your three IR controls are worth 5 points each — and they’re not POA&M-eligible.

Control | What it covers | SPRS point value | POA&M-eligible?
IR.L2-3.6.1 | Incident handling capability | 5 points | No — must be fully implemented
IR.L2-3.6.2 | Tracking, documenting, reporting | 5 points | No — must be fully implemented
IR.L2-3.6.3 | Testing the capability | 1 point | Yes (1-point controls only)

Source: DoD NIST SP 800-171 Assessment Methodology, v1.2.1; 32 CFR Part 170 §170.21.

The CMMC Program Rule (32 CFR Part 170) allows a conditional Level 2 status only if you score at least 88 of 110 (80%), meet all “critical” requirements, and close every POA&M item within a maximum of 180 days. Because 5-point and 3-point controls are barred from the POA&M, the practical translation is blunt: you cannot certify — not even conditionally — with your incident-handling and incident-reporting controls unimplemented. That reframes the whole “IR is just three small controls” instinct. Two of them are pass/fail gates on your certification. Treat them that way.

Not sure which controls you’re missing? The plan structure below is free; start there. If you’d rather map your exact situation to the right provider category first, Find My CMMC Path takes your level, scope, and timeline and points you to the category that fits. Non-sensitive questions only. No CUI, no incident specifics.

The DFARS 252.204-7012 72-hour rule — the part most plans underbuild

Answer: DFARS 252.204-7012 requires a contractor to report cyber incidents to DoD within 72 hours of discovery. As of June 6, 2025, the legacy DIBNet reporting portal was retired; reports now go through the DoD Cyber Crime Center’s DCISE using the Incident Collection Format (ICF). This is a contractual duty separate from the three NIST controls, and it continues to apply alongside CMMC. You also need a DoD-approved medium assurance certificate — obtained in advance — to reach the reporting portal.

Both are straightforward to stage before an incident — but they are not details you want to be discovering after the clock starts. DFARS 252.204-7012 applies to any contract involving Covered Defense Information (CDI) — the DFARS term for controlled technical information and other CUI tied to contract performance. When the clause is in your contract, five duties attach to any reportable cyber incident:

Obligation | What the clause requires | The detail that catches people | Clause reference
Rapidly report | Report the cyber incident to DoD. | “Rapidly report” is defined as within 72 hours of discovery. No grace period for investigation or approvals. | 7012(c)
Medium assurance certificate | You must have one to submit a report. | Provisioning takes time; ECA vendors include IdenTrust and WidePoint. Get it now. | 7012(c)(3)
Malicious software | Submit isolated malware discovered in the incident. | Send it to the DoD Cyber Crime Center (DC3), not to the Contracting Officer. | 7012(d)
Preserve evidence | Preserve images of affected systems and relevant monitoring/packet-capture data. | For at least 90 days from submission of the incident report. | 7012(e)
Flow down | Include the clause in subcontracts involving CDI. | Subs report directly to DoD and notify the next higher tier. | 7012(m)

Source: DFARS 252.204-7012, Acquisition.gov; certificate info at public.cyber.mil/eca.

Where do you actually file now? (verified July 2026)

Question | What DFARS 252.204-7012 says | Operationally current (July 2026) | What your plan should do
Where do you file? | References reporting at dibnet.dod.mil | Legacy DIBNet portal retired June 6, 2025; dibnet.dod.mil redirects to DC3’s DCISE page; reports filed through the Incident Collection Format (ICF) at icf.dcise.cert.org. | Reference both DIBNet and the ICF; verify current DC3/DCISE instructions before filing.
What do you need to access it? | A DoD-approved medium assurance certificate | A CAC or ECA medium assurance certificate is required. If you don’t have one, contact DC3/DCISE for assistance. | Obtain the certificate in advance; keep the DC3/DCISE contact path in your plan.
How does the report reach DoD? | The report includes required elements | Complete the ICF, which generates an .xml file submitted to DC3 via encrypted email or DoD SAFE; DC3 assigns an incident number. | Pre-stage identifiers and owners so the ICF can be completed fast.
How long must you preserve evidence? | At least 90 days from submission | Unchanged — preserve images and relevant monitoring/packet-capture data for 90 days. | Preserve images, logs, packet capture, and any isolated malware.

Sources: DC3 DCISE — DIB Cybersecurity reporting; DFARS PGI 204.7303-3. Reporting mechanics change without a rule change — confirm current DC3/DCISE instructions before you file.

The sequence a real incident demands

The instinct after finding ransomware or unauthorized access is to contain and restore fast. That instinct is right operationally, but it collides with your preservation duty. Your plan should encode a preserve-before-you-rebuild discipline:

  1. Contain or isolate the affected system to limit damage, where it's safe to do so.
  2. Preserve and protect images of affected systems and relevant monitoring/packet-capture data before destructive remediation.
  3. Report the incident through the current DC3/DCISE ICF process within 72 hours, when DFARS 252.204-7012 applies.
  4. Then finish eradication and recovery — while keeping the required evidence intact.

Wiping or rebuilding an affected system without preserving the required images, logs, and packet-capture data can create a DFARS preservation problem on top of the original incident. Preserve for 90 days from report submission (DFARS 252.204-7012(e)).
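As an added example (not from this page, DC3, or any DoD tool), here is a small Python incident-log model that encodes the sequence above: it computes the 72-hour report deadline from discovery and the 90-day preservation window from report submission, and flags any destructive remediation recorded against a system before a preservation step on that same system, a missing CUI/CDI impact call, and a subcontractor that never notified its prime. The action labels, system names, people and timestamps are constructed for the example, not an official taxonomy.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Clocks from DFARS 252.204-7012(c) and (e) as described on this page.
REPORT_WINDOW = timedelta(hours=72)   # "rapidly report": 72 hours from discovery
PRESERVE_WINDOW = timedelta(days=90)  # preservation: 90 days from report submission

# Action labels are hypothetical, chosen for this example (not an official taxonomy).
PRESERVING = {"preserve_image", "preserve_logs", "preserve_pcap"}
DESTRUCTIVE = {"reimage", "rebuild", "wipe", "restore_from_backup"}


@dataclass
class Action:
    at: datetime        # when it happened (timezone-aware)
    kind: str           # e.g. "isolate", "preserve_image", "report_icf", "reimage"
    system: str = ""    # affected system, if the action is system-specific
    by: str = ""        # who did it (the "who" column of the incident log)


@dataclass
class Incident:
    incident_id: str
    discovered_at: datetime
    dfars_7012_applies: bool
    cui_cdi_involved: Optional[bool] = None   # None means the impact call is not yet recorded
    is_subcontractor: bool = False
    actions: List[Action] = field(default_factory=list)

    def log(self, at: datetime, kind: str, system: str = "", by: str = "") -> None:
        """Append an action and keep the timeline in chronological order."""
        self.actions.append(Action(at, kind, system, by))
        self.actions.sort(key=lambda a: a.at)

    def report_deadline(self) -> datetime:
        return self.discovered_at + REPORT_WINDOW

    def reported_at(self) -> Optional[datetime]:
        return next((a.at for a in self.actions if a.kind == "report_icf"), None)

    def preserve_until(self) -> Optional[datetime]:
        """Evidence must be kept until 90 days after the report was submitted."""
        filed = self.reported_at()
        return None if filed is None else filed + PRESERVE_WINDOW

    def findings(self) -> List[str]:
        """Gaps an assessor or the incident lead would want surfaced from the log."""
        out: List[str] = []
        if self.cui_cdi_involved is None:
            out.append("CUI/CDI impact determination not recorded")
        if self.dfars_7012_applies:
            filed = self.reported_at()
            if filed is None:
                out.append("no ICF report recorded; 72-hour deadline is "
                           f"{self.report_deadline():%Y-%m-%d %H:%M}Z")
            elif filed > self.report_deadline():
                out.append(f"ICF report filed {filed - self.report_deadline()} "
                           "after the 72-hour deadline")
            if self.is_subcontractor and not any(a.kind == "notify_prime" for a in self.actions):
                out.append("subcontractor: no notification to prime/next higher tier "
                           "recorded (7012(m))")
        # Preserve-before-rebuild: a destructive step on a system is a finding unless
        # some preservation step on that same system precedes it in the timeline.
        preserved: set = set()
        for a in self.actions:
            if a.kind in PRESERVING:
                preserved.add(a.system)
            elif a.kind in DESTRUCTIVE and a.system not in preserved:
                out.append(f"{a.kind} on {a.system} at {a.at:%Y-%m-%d %H:%M}Z "
                           "before any preservation action on that system")
        return out


def sample_incident() -> Incident:
    """Constructed timeline: one server handled correctly, one workstation restored
    before anything was preserved, and a subcontractor that never notified its prime."""
    t0 = datetime(2026, 3, 2, 9, 15, tzinfo=timezone.utc)   # discovery time (constructed)
    inc = Incident("INC-EXAMPLE-001", t0, dfars_7012_applies=True,
                   cui_cdi_involved=True, is_subcontractor=True)
    inc.log(t0 + timedelta(minutes=20), "isolate", "FS-01", "it-oncall")
    inc.log(t0 + timedelta(hours=1), "preserve_image", "FS-01", "ir-lead")
    inc.log(t0 + timedelta(hours=1, minutes=10), "preserve_pcap", "FS-01", "ir-lead")
    inc.log(t0 + timedelta(hours=3), "restore_from_backup", "WS-17", "helpdesk")  # finding
    inc.log(t0 + timedelta(hours=50), "report_icf", by="ir-lead")                  # within 72 h
    inc.log(t0 + timedelta(hours=60), "reimage", "FS-01", "it-oncall")            # after preservation
    return inc


if __name__ == "__main__":
    inc = sample_incident()
    print("report deadline:", inc.report_deadline().isoformat())
    print("preserve until: ", inc.preserve_until().isoformat())
    for finding in inc.findings():
        print("FINDING:", finding)
```

Running it on the constructed timeline reports two findings (the WS-17 restore before preservation and the missing prime notification); the same checks run unchanged over a real log exported from a ticketing system.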

One reassurance worth knowing

Reporting an incident is not, by itself, an admission that you failed. DFARS states that a cyber incident report “shall not, by itself, be interpreted as evidence that the contractor or subcontractor has failed to provide adequate security” or otherwise failed to meet the clause (DFARS 204.7302(d)). Report on time and document honestly — the protection is real, but it doesn’t cover an inaccurate SPRS score, which is where False Claims Act exposure lives. And the CMMC Final Rule did not repeal the cyber clause: DFARS 252.204-7012 remains active and keeps its 72-hour reporting, malicious-software, and preservation duties. Full DFARS 252.204-7012 clause breakdown →

What to put in your CMMC incident response plan

Answer: A CMMC-ready incident response plan needs, at minimum: purpose and scope tied to your CUI boundary; clear definitions; named roles with an accountable incident lead; the full handling lifecycle; a severity scheme; an incident log; an internal and external reporting matrix that includes the DoD 72-hour report; evidence-preservation and malware-handling procedures; a testing procedure; and a maintenance section. Every section should trace to a control or a DFARS duty — that traceability is what turns a template into evidence.

The lifecycle in sections 4–8 follows the four-phase model most practitioners use — Preparation; Detection & Analysis; Containment, Eradication & Recovery; Post-Incident Activity — which comes from NIST’s incident-handling guidance, NIST SP 800-61 (updated to Revision 3 in 2025). Note that 800-61 is guidance, not a CMMC requirement — 3.6.1 itself already lists the lifecycle elements you must cover.

Free template — 13-section structure (yours to copy and adapt)

  1. Purpose and scope — the systems, users, cloud services, and enclaves that process, store, or transmit CUI (your assessment boundary). (3.6.1)
  2. Definitions — event vs. incident vs. reportable cyber incident under DFARS 7012. Getting this line right prevents both over-reporting and missed reports. (3.6.1 / 7012)
  3. Roles and responsibilities — a named, accountable incident lead (a role with an owner, not just 'the IT team'), plus IT/security, executive sponsor, legal/contracts, HR, communications, data owner, and prime/customer contact. (3.6.1[a])
  4. Preparation — tools, logging, training, and the reporting channels that let users and systems flag trouble. (3.6.1)
  5. Detection & analysis — how alerts become incidents, and how you determine whether CUI/CDI is affected. (3.6.1)
  6. Containment, eradication & recovery — isolation, who has authority to pull a system offline, backup validation, and restore approvals. (3.6.1)
  7. Reporting matrix — internal officials and external authorities, including the 72-hour DC3/DCISE report and the named person who owns filing it. (3.6.2[c]–3.6.2[f] + 7012)
  8. Evidence preservation & forensic imaging — the contain → preserve → report → recover sequence and 90-day retention. (7012(e))
  9. Malicious software handling — isolate and submit to DC3. (7012(d))
  10. Incident tracking / the incident log — the record for every incident: what, when, who, systems affected, CUI involvement, actions, outcome. (3.6.2[a]–[b])
  11. Testing & exercise procedure — the cadence and format for tabletops, and what you capture. (3.6.3)
  12. Plan maintenance & version control — review cadence, approver, distribution, revision history.
  13. Appendices — contact tree; a certificate + ICF reporting readiness checklist; the incident report form; and a tabletop scenario library.

The structure above is yours to use. If you’d rather have a readiness partner build it, evidence it, and stand behind it for your assessment, see provider categories below.

Can you use a CMMC incident response plan template?

Yes — a template can help you start, but it only works if you customize it to your CUI/CDI boundary, your actual systems, your reporting authorities, your evidence workflow, and your testing records. The risk isn’t using a template; it’s using one that nobody at your company can execute or prove.

The structure in the previous section is a working template. The failure mode we see is contractors treating a downloaded document as the deliverable, when the deliverable is the operating capability the document describes. Walk away from any template that:

Those aren’t cosmetic gaps — each one is a missing assessment objective.

What a C3PAO actually checks in your incident response domain

Answer: A C3PAO evaluates your IR domain with the examine/interview/test methods from NIST SP 800-171A, and for this domain assessors want four things present: a written plan covering the full lifecycle, documented roles with an accountable incident lead, evidence the capability was tested, and an incident log. A plan that reads well but was never run — and can’t be shown running — does not pass.

The CMMC Assessment Guide — Level 2 confirms the same guide supports both self-assessment and certification assessment, and that your scope has to be defined before the assessment starts. Here’s what each method looks like in the IR domain.

Examine

Documents and records

  • Incident response policy and the plan itself
  • Procedures/playbooks
  • The incident log and any past reports
  • Tabletop materials and the after-action report
  • Training records
  • Your System Security Plan (SSP) references to the IR controls

Interview

Can your people explain it consistently

  • Incident lead can describe escalation
  • Users know how to report suspicious activity
  • IT/security knows how an alert becomes an incident
  • Legal/contracts knows when DFARS 7012 may apply
  • Leadership knows who authorizes external reporting

Test

Does it actually work

  • The alert-to-incident and ticket workflow
  • The contact tree
  • Retrieving evidence on demand
  • Walking a tabletop scenario end to end

Where contractors fail in practice: The most common miss is testing (3.6.3) — a plan exists, but there’s no exercise record. Close behind: a plan nobody can explain in an interview; a phishing simulation offered as the only “test” without showing what happens after the click; a reporting matrix with no external authorities identified; and an incident log that isn’t tied back to the SSP. None of those are prose problems. They’re evidence problems. (Assessment records are kept for six years under 32 CFR §170.9 — so build your evidence to last.)

How to test your plan so 3.6.3 passes

Answer: IR.L2-3.6.3 requires you to test your incident response capability, and testing only counts if it’s documented. An annual tabletop exercise — your team walking a simulated incident through the plan — is the most common way to meet 3.6.3, and it holds up as evidence when the record shows the date, participants, scenario, findings, and corrective actions. NIST also recognizes checklists, walkthroughs, simulations, and comprehensive exercises as testing methods.

Does CMMC require a tabletop specifically?

No. The control text says “test the organizational incident response capability.” A tabletop is the most common and defensible method for small and mid-size contractors, but NIST SP 800-171 Rev. 2 lists checklists, walkthrough/tabletop exercises, simulations, and comprehensive exercises as options. Pick the method you can execute and evidence.

Does a phishing test count?

By itself, usually not. A phishing simulation tests awareness and detection — it answers “will someone click?” The IR control asks a different question: then what? Did the report reach the incident lead, did triage happen, was the CUI-impact call made, did the reporting decision get logged? If your only evidence is a click-rate report, you’ve tested the front door and skipped the whole house. Run the “then what” workflow and document it.

Cadence

The control doesn’t fix a specific frequency. An annual exercise, plus a fresh test after a major system change or a real incident, is a defensible cadence — but set it in your policy and then actually hold to it. (This cadence is our editorial recommendation, not a NIST-mandated interval.)

Starter scenarios that map to DIB reality

Scenario to run | Controls exercised | Evidence to capture
Spoofed email leads to credential compromise | 3.6.1, 3.6.2, 3.6.3 | Ticket, escalation log, CUI-impact decision, after-action report
Lost laptop that may hold CUI | 3.6.1, 3.6.2, DFARS 7012 triage | Device record, data-owner decision, reporting decision
Ransomware on a file server or cloud file store | 3.6.1, 3.6.2, DFARS 7012(e) | Containment record, image/log preservation, ICF reporting decision
A subcontractor reports a CDI incident | 3.6.2, DFARS 7012(m) | Incident report number, prime-notification record

Your after-action report should capture: date, scenario, participants, systems in scope, the CUI/CDI-impact decision, the reporting decision, actions taken, evidence produced, gaps found, corrective actions with owners and due dates, and closure. That document is your 3.6.3 evidence. Need scenarios? CISA publishes free tabletop exercise packages you can adapt.

How incident response differs by CMMC level

Answer: CMMC Level 1 (Federal Contract Information only) has no dedicated incident response control, though a contract carrying DFARS 252.204-7012 still imposes the 72-hour reporting duty. Level 2 (CUI) requires the full IR domain — 3.6.1, 3.6.2, and 3.6.3 — plus the DFARS reporting workflow. Level 3 adds enhanced incident response requirements from NIST SP 800-172 for the most sensitive programs, assessed by the government’s DIBCAC.

Level | Data in scope | Incident response obligation | Assessment type
Level 1 | Federal Contract Information (FCI) | No dedicated IR control among the 15 FAR 52.204-21 safeguards. But any contract with DFARS 252.204-7012 still triggers the 72-hour reporting duty. | Annual self-assessment
Level 2 | Controlled Unclassified Information (CUI) | The full IR domain: 3.6.1, 3.6.2, 3.6.3, plus operationalizing DFARS 7012. | Self-assessment or C3PAO, set by the contract clause
Level 3 | Highest-sensitivity CUI / APT-relevant programs | Level 2 plus a subset of NIST SP 800-172 enhanced requirements. | DIBCAC (Defense Industrial Base Cybersecurity Assessment Center)

Sources: 32 CFR Part 170; FAR 52.204-21; NIST SP 800-172.

Why it’s live right now. The CMMC Program Rule (32 CFR Part 170) took effect December 16, 2024, and the DFARS acquisition rule — which put DFARS 252.204-7021 into contracts — took effect November 10, 2025. We’re in Phase 1 (November 10, 2025 through November 9, 2026), focused mainly on Level 1 and Level 2 self-assessments. Phase 2 begins November 10, 2026: DoD intends to add Level 2 (C3PAO) assessment as a condition of award for applicable solicitations. The clause can appear in your next solicitation, option year, or subcontract flow-down — which is why “we’ll get to IR later” is a shrinking option. See our CMMC Final Rule timeline for the full phase schedule.

Do you need an RPO, MSSP, GRC platform, or C3PAO for incident response?

Answer: The right help depends on the gap. If you have IT/security staff who know your CUI environment, this plan is a template-plus-tabletop you can finish in-house. If you lack a security lead, run a complex or multi-enclave environment, or you’re heading into a C3PAO assessment, an RPO or CMMC-focused MSSP usually earns its fee — and remember that readiness help and formal assessment are separate roles that must stay separate.

If your gap is… | Consider this category | What to verify before you hire
The plan is generic or not mapped to CMMC | RPO / RP (Registered Provider Organization / Registered Practitioner) or virtual CISO | CMMC experience, scoping method, how they map evidence to objectives
You can’t detect or respond operationally | MSSP / SOC / managed detection | Whether they cover your CUI boundary, log sources, escalation SLAs, evidence exports
Your evidence is scattered | GRC platform (governance, risk, compliance software) | SSP/POA&M linkage, ticketing, audit trail, exportability — software organizes evidence; it doesn’t satisfy CMMC on its own
You may have a real incident | Incident-response retainer + counsel | Forensics capability, privilege strategy, DFARS 7012 experience
You’re assessment-ready | C3PAO | Current Cyber AB Marketplace status, independence, assessment scope

A firm independence rule: A C3PAO must comply with the Accreditation Body’s conflict-of-interest, ethics, and professional-conduct policies (32 CFR §170.9(b)(2)), and the CMMC Assessment Process requires the C3PAO to identify and mitigate conflicts before an assessment begins. In practice, a firm that provided your readiness or consulting work generally cannot also be the C3PAO that assesses you. Keep your readiness partner and your assessor separate, on purpose.
Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.


What to do if you find a possible incident before your plan is ready

Answer: Don’t wait to perfect a document. Preserve evidence, pull in leadership and legal, determine whether Covered Defense Information or a covered system is affected, follow current DC3/DCISE instructions if DFARS 252.204-7012 applies, and keep sensitive details out of any marketing or matching form.

First hour

  • Stop further damage where it's safe to do so.
  • Preserve logs — do not delete, reimage, or alter systems without guidance.
  • Identify affected systems and accounts.
  • Determine whether CUI/CDI may be involved.
  • Notify your incident lead and legal/contracts.

First 24 hours

  • Determine whether DFARS 7012 applies to the affected contract.
  • Pull your contract identifiers (contract number, CAGE code, UEI).
  • If your reporting access or certificate isn't ready, contact DC3/DCISE — don't let a login problem eat your 72 hours.
  • Stage the ICF fields; preserve affected images, logs, and packet capture.
  • Record your timeline and every decision.

If you’re a subcontractor, report directly to DoD and notify the prime or next higher tier (DFARS 252.204-7012(m)). If the 72-hour window is at risk, don’t go quiet — preserve evidence, escalate to legal and contracts, contact DC3/DCISE for reporting assistance, and document your timeline. Do not submit CUI, export-controlled technical data, live indicators of compromise, or contract specifics through this site or any lead-routing form.

How we built this

We wrote this page the way we write every page — by reading the primary sources ourselves and refusing to state a requirement without one. This is editorial decision support, not legal, contractual, or compliance advice.

What we verified:

What this page is not: legal advice; a guarantee of any assessment outcome; guidance from the Cyber AB, DoD, DCMA DIBCAC, or NIST; a named-provider ranking; or a substitute for a scoped RP/RPO, a qualified federal-contracts attorney, a C3PAO, or incident-response counsel.

Frequently asked questions

What are the CMMC incident response requirements?

For CMMC Level 2, the incident response requirements are NIST SP 800-171 Rev. 2 controls 3.6.1 (incident handling), 3.6.2 (incident reporting), and 3.6.3 (incident response testing). Together they require a documented, operational, and tested incident response capability.

Is an incident response plan required for CMMC Level 2?

Yes in practice. Level 2 requires an implemented and tested incident response capability, and the CMMC Assessment Guide lists the incident response plan and related records as evidence a C3PAO can examine. A documented plan is the standard way to organize and prove that capability. Level 1 (FCI only) has no dedicated incident response control.

Can the incident response controls go on a POA&M?

Controls 3.6.1 and 3.6.2 cannot — they are worth 5 points each in the DoD Assessment Methodology, and 5-point controls are barred from a POA&M, so they must be fully implemented for even conditional certification. Only 3.6.3 (1 point) is POA&M-eligible and must be closed within the 180-day conditional window.

What must be reported within 72 hours under DFARS 252.204-7012?

Any cyber incident affecting a covered contractor information system, the Covered Defense Information on it, or the contractor's ability to perform operationally critical support. Reports are filed within 72 hours of discovery through the DoD Cyber Crime Center's DCISE using the Incident Collection Format (ICF).

Where do I report a cyber incident now that DIBNet is gone?

The legacy DIBNet portal was retired on June 6, 2025. Reports now go through DC3/DCISE using the Incident Collection Format: complete the ICF, submit the generated file to DC3 via encrypted email or DoD SAFE, and DC3 assigns an incident number. Isolated malicious software goes to DC3, not the Contracting Officer. Verify current DC3/DCISE instructions before filing.

Does a medium assurance certificate matter, and how do I get one?

Yes — you need a DoD-approved medium assurance certificate (a CAC or ECA) to reach the reporting portal. Obtain it in advance from a DoD-approved External Certification Authority; if an incident hits before you have one, DC3/DCISE provides a contact path for reporting assistance.

Does my incident response plan affect SPRS or DFARS 252.204-7019 / 252.204-7020?

Indirectly, yes. The IR controls affect your NIST SP 800-171 / CMMC Level 2 score because 3.6.1 and 3.6.2 are 5-point controls and 3.6.3 is a 1-point control. Under DFARS 204.7302(b) and DFARS 252.204-7019, a contracting officer verifies a current NIST SP 800-171 DoD Assessment score is posted in SPRS before award, option exercise, or extension when NIST SP 800-171 is required. DFARS 252.204-7020 covers DoD assessment access and subcontractor flow-down.

Does CMMC require a tabletop exercise?

CMMC requires testing the incident response capability (control 3.6.3). A tabletop is the most common accepted method, but NIST also recognizes checklists, walkthroughs, simulations, and comprehensive exercises. The test must be documented.

Does a phishing test count as incident response testing?

Not by itself. A phishing simulation tests awareness and detection, while the incident response control asks whether your response process works after an event — triage, escalation, the CUI-impact decision, the reporting decision, and recovery. Document that workflow, not just a click rate.

What is the difference between CUI and CDI in the plan?

CUI (Controlled Unclassified Information) is the broad government-wide category. CDI (Covered Defense Information) is the DFARS 252.204-7012 term for controlled technical information and other CUI tied to DoD contract performance. Your plan should account for both, because CMMC and DFARS use related but distinct terms.

Can a C3PAO help write my incident response plan?

Be careful. A firm that provided your readiness or consulting work generally cannot also serve as the C3PAO that certifies you, under the conflict-of-interest rules in 32 CFR §170.9 and the CMMC Assessment Process. Keep readiness help and formal assessment separate to protect your certification.

Does CMMC replace DFARS 252.204-7012?

No. They are separate obligations that operate together. CMMC verifies your NIST SP 800-171 implementation; DFARS 252.204-7012 imposes the 72-hour cyber incident reporting duty, and it continues to apply.

Choose the right CMMC path before you hire

Need help deciding what type of CMMC provider you need? Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.


Do not submit CUI, drawings, or sensitive contract details. Provider-matching may generate referral or lead-routing compensation, disclosed at the point of recommendation.

The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance. This article is educational research, not legal, contractual, or compliance advice. The contract clause and your CUI handling set your obligations, not a checklist. Confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney. Provider-matching may generate referral or lead-routing compensation, disclosed at the point of recommendation.